# gpg.conf — GnuPG options file: one option per line, "#" starts a comment.
# The choices below are drawn from:
# https://crabgrass.riseup.net/riseuplabs+paow/openpgp-best-practices
# https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
#
# message digest algorithm used when signing a key
cert-digest-algo SHA512

# list of personal cipher preferences (strongest first). When multiple ciphers
# are supported by all recipients, choose the strongest one.
# NOTE(review): CAST5 is a 64-bit-block cipher kept for compatibility with
# older recipients; it is ranked last so it is only chosen when nothing
# stronger is common to all recipients — confirm this is still wanted.
personal-cipher-preferences AES256 AES192 AES CAST5
# list of personal digest preferences. When multiple digests are supported by
# all recipients, choose the strongest one:
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# Set the list of default preferences to string.
# used for new keys and default for "setpref"; within each algorithm class the
# order given here is the preference order.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed


# When searching for a key with --search-keys, include keys that are marked on
# the keyserver as revoked
keyserver-options include-revoked

# Only use secure keyservers
# NOTE(review): the sks-keyservers.net pool and its CA have been
# decommissioned, so the hkps URL and the pinned CA file below no longer
# point at a working service; replace them with a maintained keyserver and
# verify its TLS chain before relying on lookups.
# NOTE(review): from GnuPG 2.1 on, keyserver access goes through dirmngr:
# "keyserver" is expected in dirmngr.conf, and the "ca-cert-file" keyserver
# option is ignored there (dirmngr's hkp-cacert takes its place). Check the
# installed GnuPG version; on 2.1+ these three lines may be silently inert.
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem
# do not follow a key's own "preferred keyserver" URL (keeps lookups on the
# server configured here rather than wherever the key points)
keyserver-options no-honor-keyserver-url
# Don't leak DNS, see https://trac.torproject.org/projects/tor/ticket/2846
keyserver-options no-try-dns-srv

# when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode

# short-keyids are trivially spoofed; it's easy to create a long-keyid
# collision; if you care about strong key identifiers, you always want
# to see the fingerprint:
keyid-format 0xlong
with-fingerprint
# keep the "Comment:" header and the "Version:" line out of ASCII-armored
# output, so messages carry less metadata about the producing client
no-comments
no-emit-version

# If you use a graphical environment (and even if you don't)
# you should be using an agent: (similar arguments as
# https://www.debian-administration.org/users/dkg/weblog/64)
# NOTE(review): GnuPG 2.1 and later always use gpg-agent, so this line is a
# no-op there and only matters for older releases.
use-agent

# You should always know at a glance which User IDs gpg thinks are
# legitimately bound to the keys in your keyring:
verify-options show-uid-validity
list-options show-uid-validity

# include an unambiguous indicator of which key made a signature: (see
# http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
# %g expands to the fingerprint of the key that made the signature
sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g

# Anonymize the encryption by removing the key IDs from the pgp packet
# (recipients then have to try each of their secret keys to decrypt;
# intentionally left disabled)
#throw-keyids